I am developing an iframe for use on a number of our partners websites.

Is there any way I can make sure it can only be used on those websites and not by anyone else

I was intending to add a pulsory querystring to the URL for the website. Each partner would have a different value in the quesrystring dnd use that to look up an allowed domain

However, is there anyway to know the top level domain of the site hosting the iframe?

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

Or do you need to send the domain from javascript?

Any advice?

I am developing an iframe for use on a number of our partners websites.

Is there any way I can make sure it can only be used on those websites and not by anyone else

I was intending to add a pulsory querystring to the URL for the website. Each partner would have a different value in the quesrystring dnd use that to look up an allowed domain

However, is there anyway to know the top level domain of the site hosting the iframe?

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

Or do you need to send the domain from javascript?

Any advice?

• c#
• javascript
• html
• http

4 Answers 4

However, is there anyway to know the top level domain of the site hosting the iframe?

Nothing reliable.

Presumably this is not sent in the http request for the iFrame? Or is it, I couldn’t see it?

It might be sent in the referer

Or do you need to send the domain from javascript?

If you want to fetch it from the framed page, you will be blocked by the same origin policy.

If you want to sent it from the framing page, you will be putting it in the query string and you can't trust it because it can be set to whatever the person writing the framing page likes.

There is also the X-Frame-Options header (but that has limited browser support).

The most reliable solution I can think of is:

1. Require the origin to be specified in the query string used to load the frame
2. Check the referer. If it doesn't match your white-list and is not blank, redirect to a page that is blank except for a link to your site with target="_top" and some JavaScript that top.location = "your site"
3. Check that the origin specified in the query string is on your whitelist, if it isn't act in the same way as a rejected step 2
4. Output an X-Frame-Options header that limits the framing to the specified origin

That is likely to catch enough browsers to discourage the framing site from framing your site.

You can try to check referrer which normal browser will send for IFrame requests on the page.

You also can use "x-frame-options" header covered in (How to Block Iframe call and MDN ) but not every browser will respect that (on other hand it is more reliable if browser supports it).

iframe's sanbox attribute might be helpful in controlling the various security aspects in an iframe including origins
http://www.html5rocks./en/tutorials/security/sandboxed-iframes/

The Architecture Journal of 2007 has a nice article about this: Secure Cross-Domain Communication in the Browser

Basically what the article suggests is: If you have page A on domain 1 with an iframe with page B on domain 2 as its source , then having an iframe on page B to page C on domain 1, would allow you to pass information across domains

I haven't tested it, but this sounds like it could work.

Another possibility is create a file with a special filename (for instance a hash of the URL of page B on domain 2) and basic extension (like .htm) and place it in the root of domain 1. Checking whether the file exists on domain 1 cannot be done by javascript however, so it should be done with server side code.